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Abstract 

In the Russian cards problem, Alice, Bob and Cath draw three, 
three and one cards, respectively, from a deck of seven. Alice and 
Bob must then communicate their entire hand to each other, without 
Cath learning the owner of a single card. Unlike many traditional 
problems in cryptography, however, they are not allowed to hide or 
codify the messages they exchange from Cath. The problem is then 
to find methods through which they can achieve this. One elegant 
solution, due to Atkinson, considers the cards as points in a finite 
projective plane. 

In this paper we consider the generalized Russian cards problem, 
where the number of cards that each player draws is a, b and c, respec- 
tively, from a deck of a + b + c cards. We propose a general solution 
in the spirit of Atkinson's, although based on finite vector spaces, 
and call it the "colouring protocol" , as it involves colourings of affine 
subsets. 

Our main results show that the colouring protocol provides a so- 
lution to the generalized Russian cards problem in cases where a is a 
power of a prime and either 

1. c < a and b = 0(ac) or 
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Sevilla, Spain. Hans van Ditmarsch is also affiliated to IMSc, Chennai, India, as a re- 
search associate. 
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2. c = 0(a 2 ) and b = 0(c 2 ). 

This improves substantially on the collection of parameters for which 
solutions are known. In particular, it is the first solution which allows 
the eavesdropper to have more cards than one of the players. 

1 Introduction 

In this article we present protocols based on finite vector spaces for three 
card players exchanging secrets. The general idea is that two of the three 
agents wish to share confidential information and actively cooperate in doing 
so, whereas the third agent plays the role of an eavesdropper. As is common 
practice in the cryptography literature, we will henceforth call the agents 
exchanging secrets Alice and Bob. The eavesdropper (usually called Eve) is 
able to hear all communications, and Alice and Bob are aware of that. We 
call her Cath. As a consequence, in such information-exchanging protocols 
between Alice and Bob, Cath typically acquires quite a bit of data, but 
not enough to be able to deduce any secrets; the latter a requirement for a 
protocol to be successful. 

Let us describe the problem we are concerned with: 

The generalized Russian cards problem 

Alice, Bob and Cath each draw a, b and c cards, respectively, from 
a deck of size a + b + c. All players know which cards were in 
the deck and how many of them the other players drew, but each 
player may only see the cards in their own hand. 

Alice and Bob, however, want to know exactly which cards the 
other holds. Moreover, they do not want for Cath to learn who 
holds any card whatsoever, aside of course from her own cards. 

However, they may only do so by making true, clear, public an- 
nouncements, so that Cath can learn all the information that they 
exchange. 

Can Alice and Bob achieve this? 

The generalized Russian cards problem is parametrized by the triple 
(a, b, c), which we will often call the size of the deal. A (possible) solution to 
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the generalized Russian cards problem is a protocol; that is, a series of steps 
that Alice and Bob must follow in order to achieve their goal. Later we shall 
give some constraints on what constitutes a valid or successful protocol. 

Solutions to the generalized Russian cards problem can often be formu- 
lated in purely combinatorial or even geometric terms. One protocol that is 
known, and we shall discuss below, views cards as points in finite projective 
planes. This has inspired the present work, whose aim was to find a variant 
or generalization which solved more instances of the problem. The protocol 
we propose is, to the best of our knowledge, the first solution to the gener- 
alized Russian cards problem which works in cases where Cath holds more 
cards than Alice. 

Let us first present the projective geometry protocol, suggested by Mike 
Atkinson in 2001. Consider players Alice and Bob each drawing three cards 
from a deck of seven cards, while Cath gets the remaining card. One way 
for Alice and Bob to communicate their cards to each other by way of public 
announcements, without informing Cath of any of their cards, is when Alice 
announces that her hand of cards is a line in a projective plane consisting of 
seven points (cards). Or, to be precise, Alice assigns a point in the projec- 
tive plane to each card in such a way that her own hand forms a line, and 
announces 

If all the cards in the deck are arranged in the projective plane 
in the way I am telling you, then my hand forms a line. 

After this, it suffices for Bob to announce Cath's card. Why does this 
work? 

Suppose that the cards are numbered 0, 1, . . . , 6, that Alice holds the cards 
0, 1 and 2, Bob holds 3, 4, and 5, and therefore Cath holds 6. Alice announces: 
"My hand of cards corresponds to one of the lines in the projective plane 
whose lines are 012, 034, 056, 135, 146, 236, and 245." (See Figure [I]) Bob 
then announces: "Cath holds 6." After Alice's announcement, Cath, who 
holds card 6, can eliminate from the seven triples the ones containing 6: 
056, 146, and 236. The remaining hands are: 012, 034, 135 and 245. Cath 
therefore cannot deduce that Alice has 0, because 135 is a possible hand of 
Alice. She also cannot deduce that Alice does not have 0, because Alice's 
actual hand 012 is also a possible hand. And so on, for all possible cards of 
Alice. Because Alice does not know which card Cath actually holds, we have 
to make sure that the protocol would work even if Cath held a different one; 
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Figure 1: Alice holds a line in the 7-point projective plane 

otherwise, Alice would risk giving a secret away to Cath, yet we are only 
interested in protocols that work unconditionally. 

Meanwhile, Bob learns Alice's cards from her announcement, because all 
but 012 contain either a 3, a 4, or a 5. Again, we have to do this for all 
card triples xyz, not just for Bob's actual hand 345. In the end, he knows 
Cath's card and can announce it, from which Alice also learns the entire deal 
of cards. 

There are other protocols for this setting of card dealing players; see e.g. 
PQ El E] • A possibly better-known solution to the riddle make Alice and Bob 
both announce the sum of their cards modulo 7 (i.e., modulo the number of 
cards in the pack); this was the proposed solution when the problem appeared 
in the Moscow Mathematics Olympiad in 2000 [5]. This protocol works in 
many more cases, provided that Cath holds only one card j2]. 

The Russian cards problem itself is much older and originates with Kirk- 
man [1] . There, the solution takes the form of a design, a collection of subsets 
of a given set that satisfies certain regulaties [8]. The design consists of seven 
triples — and accidentally these are the lines that form the projective geomet- 
ric plane. Cryptography based on card deals is also investigated in various 
other, not necessarily related publications, such as [6j [7] . 

The instances for which the generalized Russian cards problem has known 
solutions are the following: 

1. The case (3, 3, 1) has been extensively studied and has many solutions 
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2. The case (4,4,2) has an unusual solution given in [TU] . 

3. All cases (a, 2, 1) provided a = 0, 4 (mod 6) have been solved in pQ. 

4. All case^j] (a, 6, 1) with both a, 6 > 2 have been solved in [2]. 

5. If c + 1 < a then there is a solution for b = 0(a 2 ), somewhat in the 
spirit of Atkinson's pp. 

In this paper, we provide solutions for the cases where a is a power of a 
prime and either 

6. c + 1 < a and b = O(ao), thus improving on [5] when cCaor 

7. b = 0(c 2 ) and either c = 0(a 3 ^ 2 ) or c = 0(a 2 ), the first known solutions 
for c > a. 

Let us now consider a simple example of the protocol we will present. 
Suppose there are 25 cards, of which Alice holds 5, Bob 17 and Cath 3. A 
suitable protocol for Alice and Bob to inform each other of their cards is, 
similar to the above, that Alice first announces that her cards are a line in 
a two-dimensional vector space with characteristic five, i.e., F 2 . After this, 
Bob announces Cath's cards. 

The 25 cards in the deck D could be named 0, 1, ... , 24, or they could be 
all clubs and all hearts except for the ace of hearts, or they could be dominoes 
instead of cards. The only thing that matters is that the number of cards 
is the same as the number of points in F|. Alice's announcement can then 
be represented as a bijection / : D — > ¥\, where ¥\ may be represented as 
{ij\0<i,j<4}. 

Why does this inform Bob of Alice's cards? Consider the typical config- 
uration in Figure [2j left-hand side, where Alice's cards are represented as ■, 
Bob's as o and Cath's as A. As before, Alice's announcement rules out some 
possibilities for her hand. She cannot have, for example, {00, 11,22,23,24}. 

From Bob's perspective, Alice's announcement is sufficient fot him to 
determine her hand. Suppose that A, C are the sets of cards that Alice and 
Cath hold, respectively. Then, AU C contains eight points, and thus cannot 
contain two different lines; as two lines intersect in at most one point, any 
set in Fg containing two lines must have at least nine elements. 

1 This subsumes the case (3, b, 1) for b > 3, also covered previously in [T]. 
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Figure 2: Card deals in F5 



On the other hand, for Cath, this information is insufficient to determine 
the ownership of a single card not in her possession. As an example, let us 
take card 00 of Alice's. Observe that there is a line in F5 not containing 00 
but still avoiding Cath's cards 31, 41, and 42, for example as in the right- 
hand side of Figure [2] More generally, for any subset of three points in F5 
and any other point x, we can find a line avoiding these three points and 
containing x and another such line not containing x. 

The same trick works if Cath has fewer than three cards, but if she has 
four cards we cannot rule out that a nine-point set contain two lines. And 
if she has even more than four (and maybe even more cards than Alice) 
this only gets worse. We then need another trick, adding more steps to the 
protocol. 

Suppose that Cath has as many cards as Alice or perhaps even more. 
Then, after Alice maps the deck into a finite vector space V (which in this 
case will usually be quite a bit larger than F3), Bob may not be able to 
immediately distinguish which of the lines contained in A U C is Alice's. 
What Bob will do is to colour the lines of V, so that each line that Alice 
might have has is assigned a different colour, and ask, Alice, what colour is 
your hand? 

Of course, Bob must be careful in how he colours the lines! If he uses 
too many colours, for example a distinct colour for each line in V, Cath may 
learn exactly which line Alice holds. And, if he does not use enough colours, 
he may still not know which cards belong to whom, as maybe Cath also holds 
a line of the same colour. But it is possible to give conditions under which a 
colouring is suitable for the protocol to be successful. 

This is the basic idea of the colouring protocol, which we shall describe 
formally in Section [3j after introducing some preliminary notions about pro- 
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tocols in Section [2] The protocol we shall present does not assume that Alice 
holds a line, but rather a linear subset of V of any dimension. Although our 
protocol is based on finite vector spaces, it is essentially a generalization of 
Atkinson's, with our example based on Ff being a special case. In Section 
[3] we will also prove that the protocol provides a solution to the generalized 
Russian cards problem. 

However, this result will be based on the assumption that the protocol 
is executable, which is not the case for deals of arbitrary size (a,b,c). The 
following sections will study special cases in which the protocol may be ap- 
plied; in Section [4] we study the case when Alice's hand forms a hyperplane 
in V, while Section [5] studies the case when Alice's cards form a line. In 
both cases, we give explicit bounds on the parameters which ensure that the 
colouring protocol is executable. 

2 Card protocols 

Throughout this paper, we shall assume that D is a fixed, finite set of d 
"cards". A card deal is a partition (A,B,C) of D; the deal has size (a,b,c) 
if A is an a-set, B a 6-set and C a c-set, where by "x-set" we mean a set 
of cardinality x. We think of A as the hand of Alice, or that Alice holds A; 
similarly, B and C are the hands of Bob and Cath, respectively. In general 
we may simply assume that D = {1, . . . , a + b + c}, and define Deal(a, b, c) 
to be the set of partitions of D of size (a, b, c). 

Central to this text is the notion of protocol. Roughly, a protocol is a 
family of rules or instructions that Alice and Bob must follow in order to 
send out a sequence of public announcements. It suffices to think of an 
announcement as a pair a = {i,4>), where i is either Alice or Bob and is a 
'token'. Usually <ft is taken to be a statement about the game but it could 
also be another speech act such as asking a question or saying "Pass" . 

A sequence 

a = (i Ao), {h,<t>i), (in,<f>n) 

is a run. We shall write Ann(a, b, c) for the set of announcements and 
Run(a, b, c) for the set of runs, including the empty sequence. 

Players only have direct knowledge of their own cards, and thus at the be- 
ginning of the game should not be able to distinguish between different deals 
where they hold the same hand; thus, from Alice's perspective, (A,B,C) is 
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indistinguishable from (A', B', C) if A = A', and we write 

(A,B,C) A ~ e (A!,B',C). 

We may define analogous equivalence relations for Bob and Cath. After other 
agents have made announcements, each agent may incorporate them into 
their knowledge, including 'higher-order' reasoning about others' intentions 
and knowledge. 

Formally, we may define a protocol as follows: 

Definition 2.1 (Protocol). Let Deal = Deal(a, 6, c), Ann = Ann(a, b, c) and 
Run = Run(a, b, c). 

A protocol (with (a, 6, c) as parameters) is a function 

n :Deal x Run — > P(Ann) 

such that, for every deal 5 and run a, 

1. if (i, 0), (i 1 , (p') G ir(5, a), then i — i' 

2. if (i, 0) G 7v(5, a) and 5' ~ 5, then tt(5', a) = ir(5, a) . 

Thus once a deal has been given, a protocol assigns to each run a player 
who is to make the next announcement, and a set of "allowed announce- 
ments" for the player to make. Intuitively, the first property says that the 
next player to make a move is always determined (although the content of 
the announcement may vary); the second, that players may only choose their 
announcements based on the data they have access to. 

Protocols are non-deterministic in principle and hence may be exectued 
in many ways; an execution of a protocol is a pair (6, a), where 5 is a deal, 
a = (iq, (f>o), . . . , (i n , 4> n ) a run and, for all k < n, 

(i k +i,<f>k+i) e tt(<J, (i o ,0o), • • • , (4,0fc))- 

So far, we have described protocols in general but have said little about 
their objectives. Indeed, a protocol as described above may very well give lit- 
tle useful information to Alice or Bob, or perhaps give too much information 
to Cath. Let us now describe what it means for a protocol to be successful 
in our setting. 

The first objective we have is for Alice and Bob to know each other's 
cards (and hence the entire deal) after its execution: 
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Definition 2.2 (informativity). A run ((A, B,C),a) is informative for Alice 
if there is no other run ((A, B', C'),a) with C ^ C . 

Similarly, a run ((A, B, C), a) is informative for Bob if there is no other 
run ((A', B, C), a) with C ^ C. 

A protocol is informative if every execution that is long enough is infor- 
mative both for Alice and for Bob. 

Thus while tokens do not have an explicit meaning in principle, in practice 
they may be viewed as statements about the game. If Bob has agreed to only 
pass if he holds card 3, and Bob passes, then Alice can infer that he holds 
that card. 

Recall, however, that in the specification of the problem, all announce- 
ments must be "clear and truthful". Rather than assigning truth values to 
tokens, we will capture this in our formalization of the second goal of the 
protocol: that Cath does not learn who possesses any card she does not 
hold. 

Definition 2.3 (security). An execution ((A, B,C),a) of a protocol it is 
secure if for every x C there is 

1. a deal 5' = (A', B' , C) such that x e A' and (5', a) is also an execution 
of it, as well as 

2. a deal 5" = (A", B", C) such that x e B" and (5", a) is also an execu- 
tion of it . 

The protocol 7r is secure if every execution of it is secure. 

Thus after a secure execution, Cath does not know who holds any given 
card that is not hers, even if she entirely knows the protocol and recalls every 
announcement that each of the players made. This avoids, for example, 
protocols based on "secret codes", such as the above scenario where Bob 
passes when he has 3. 

The goal of the current paper is to find informative, secure protocols for 
the generalized Russian cards problem, as specified above. All protocols we 
shall consider will follow a basic scheme, described in the next section. 
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3 The colouring protocol 

In this section we shall describe the general colouring protocol, the central 
focus of this article. Before we do so, let us briefly describe some of the 
notation we shall use. 

In this paper, p will denote a prime or a power of a prime, and ¥ p the 
field with p elements. If d is any natural number, F^ denotes the vector space 
of dimension d over F p . For a line £ = x + \y, we say y is a directing vector 
of t. We denote by F^[e] the set of all e-dimensional affine spaces in F^, that 
is, all sets of the form x + V, where V is an e-dimensional subspace of F^; 
we call these e-spaces. 

For natural numbers d,n we define o~d{ri) to be the sum n d_1 + n d ~ 2 + 
. . . + n°. We know from basic algebra that 

. . n d - 1 
a d (n) = — . 

This will be a very useful quantity to keep in mind; for example, 

Lemma 3.1. Given x e F^ 7 there are a dip) distinct lines passing through x. 

Let p be a prime or a prime power and d > 2. Assume that Alice holds 
as many cards as points in an e-space of F^ (i.e. a = p e ) and that Alice, 
Bob and Cath together hold as many cards as points in the whole space (i.e. 
a + b + c = p d ). Let K be a set of k colours, identified with the numbers 
1, . . . , k. Colorings will be a crucial element in our protocol: 

Definition 3.1 (Colouring). A /c-colouring of e-spaces is a function 

t : Fj[e] -> K. 

That is, £ assigns a colour from {1, ... k} to each subspace of F^ of dimension 
e. Informally, the colouring protocol consists of the following four steps: 

1. Alice maps all the cards into F^ in such a way that her cards form an 
e-space. 

2. Bob announces a suitably chosen /c-colouring £ of e-spaces. 

3. Alice announces the colour of her hand according to £. 

4. Bob announces Cath's cards. 
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Of course, we have yet to specify what a suitable colouring is. This 
will be the focus of the rest of this section. In order to guarantee that 
the protocol is informative (Alice and Bob can deduce the card deal after 
the protocol's execution), the colouring must be distinguished, as defined 
below. For it to be safe (Cath cannot learn any of Alice or Bob's cards), the 
colouring should also be rich. However, colourings which are merely rich and 
distinguished may give Cath too much information, and thus we will have to 
replace the condition of being distinguished by the stronger version of being 
very distinguished. Once we have defined these notions the next question 
is for which a,b,c and k such colourings exist, i.e., when the protocol is 
executable; this shall be the topic of later sections. 

First let us focus on making the protocol be informative. Given a card 
deal (A,B,C), we should design £ in such a way that only A itself can be 
the e-space entirely contained in A U C of whichever colour Alice announces. 
In this way, Bob can unequivocally identify A. But there may be many such 
spaces contained in A U C, and at the beginning of the protocol Bob has no 
way of telling them apart. Thus we arrive at the following: 

Definition 3.2 (Distinguished colouring). We say that a k-colouring £ of e- 
spaces is distinguished for a set E C if no two distinct e-spaces contained 
entirely in E have the same colour. 




Figure 3: A simple 2-colouring. 



Example 3.1. Figure [3] illustrates the possible effects of a distinguished 
colouring. The left picture shows a 2-colouring that Bob announces after 
Alice maps the cards into F|. Throughout the examples we will continue to 
use black squares for Alice's cards, white circles for Bob's and black triangles 
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for Cath's, so that cards held by Alice or Cath are black-filled shapes. Alice's 
cards A form the line {00, 01, 02}. Cath's cards C are {12, 22}. The set AUC 
also contains the line {02, 12,22}. To enable Alice, by her later response, to 
distinguish both lines, Bob announces the 2-colouring in the the left picture. 
It has two 'colours': solid lines and dashed lines. Ellipses in the figure are 
lines as well, e.g. {22,10,21} is a dashed line. 

Suppose Alice announces that her line is solid. Then, Bob will learn 
Alice's cards and he can announce Cath's cards. This may seem safe to 
announce, because now only one solid line is contained in AU C . 

But the colouring that Bob announces is not safe. After Alice announces 
that her cards are a solid line, Cath discards all solid lines that meet some of 
her points. The right picture in Figure^ shows the only two lines that Cath 
cannot discard. This makes Cath learn that Alice has 02 and that Bob has 
10 and 21. 

Hence, colourings that are merely distinguished will make the colouring 
protocol informative but not necessarily safe. To remedy this, we must have 
enough colours, and the colouring must be rich enough, so that for every 
card that Cath does not hold she should consider it possible both that Alice 
holds it and that Alice does not hold it. 

Definition 3.3 (Rich colouring). A k-colouring £ is rich if for any c-set 
C , colour i, and point x C , there is an i-coloured e-space A containing x 
that avoids C and there also is an i-coloured e-space A 1 not containing x that 
avoids C . 

Example 3.2. Consider the trivial 1-colouring £ on the left-side image in 
Figure^ (all lines have the same colour). This colouring is distinguished for 
AU C , as this set only contains one line. 

It is also rich. To see this, note that given any c-set E and x (jL E, there 
are five lines passing through x, and thus one of them avoids E. 

This covers one condition for richness; for the other, picking y ^ x which 
is also not in E, we see that one line through y avoids {x} U E, and thus 
there is a line avoiding both x and E. 

Rich and distinguished colourings are almost suitable, but we shall need 
an extra condition. Notice that Cath knows that Bob is to design the colour- 
ing so that it turns out to be informative. Thus, the colouring not only 
should be distinguished for the actual set of cards AU C but also for every 
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set of cards that Bob wants Cath to consider as possible. These will be the 
sets with the same hue as A U C: 



Definition 3.4 (Hue). Let £ be a k-colouring of e-spaces. 

Given E,F C F^, we write E k,\ F if there are e-spaces U, W of the same 
colour such that U C E, W D (E \ U) = and 

F = (E \ U) U W. 

We will say E, F are one tone apart. 

We i/ien let ^ be the reflexive and transitive closure o/~f ; and define a 
hue to 6e an equivalence class under ^ . 



Returning to Example 3.2 our trivial one-colouring is rich and distin- 
guished, but it has one further property; for suppose that E has the same 
hue as A U B. Then, E can only contain one line (since it has only eight 
points) and thus £ is also distinguished for E. Colorings with this property 
will be very useful and we shall say they are very distinguished. 



Definition 3.5 (Very distinguished colouring). We say that a k-colouring £ 
is very dit 
hue as E. 



is very distinguished for E C F^ if £ is distinguished for every F of the same 




Figure 4: A 2-colouring which is distinguished but not very distinguished 

Example 3.3. Figure^ shows an example of a 2-colouring inF% for some n. 
We have represented only some points and lines in the space. Let's suppose 
that the colouring is 6-rich. In the situation represented on the left, the 
colouring is distinguished. AU C contains two lines with different colours. 
But the sets of points shown in the middle and right pictures are of the same 
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hue as A U C , and the set of points in the right picture contains two lines of 
the same colour. Then our colouring is not distinguished in the right picture, 
so it is not very distinguished in the left one. 

This means that the presented 1-colouring is not safe, even in the left 
picture. Cath may learn that the points p and q belong to Bob, reasoning as 
follows. Alice cannot have both points, because Alice's points are aligned, but 
she could have one of them, as can be seen in the center picture. However, 
if it were the case that Alice has one point (say, p), Bob should assign the 
line containing p,q a different colour to the other two lines in AUC, to keep 
Cath from learning that Bob has q. A similar reasoning applies to q, and 
thus Cath learns that Bob has both p and q. 

With these considerations we know which kind of colouring Bob should 
use: a suitably chosen colouring is rich and very distinguished, and as we 
shall see, the protocol so defined is safe and informative. 

Definition 3.6 (Colouring protocol). 

1. Alice maps all the cards into F^ in such a way that her cards form an 
e-space. 

2. Bob announces a rich and very distinguished k-colouring £. 

3. Alice announces the colour of her hand. 
4- Bob announces Cath's cards. 

Let us first see that the colouring protocol is indeed a protocol as defined 
in Section [2j To be precise, we must show that every announcement depends 
only on information available to the respective player. For example, suppose 
the protocol were to require that Bob instead of Alice maps all the cards into 
Fp in such a way that Alice's cards form an e-space. Unless Bob is told what 
to say by an outsider, he cannot make that announcement knowingly: for any 
given mapping into F^, there are many subsets of size a of the complement 
of Bob's cards that are not an e-space under this mapping. Similarly, Bob 
cannot announce Cath's cards in the last step if he does not know them. 

But this is not the case for the protocol we have described: 

Lemma 3.2. The colouring protocol is a protocol in the sense of Definition 
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Proof. We need to verify that at each stage each player has enough informa- 
tion to determine if their announcement is correct. Let us do this step by 
step: 

1. Alice maps all the cards into in such a way that her cards form an 
e-space. 

Alice knows her own cards, and this is sufficient for her to align them 
on an e-space; the other cards may then be distributed randomly. 

2. Bob announces a rich and very distinguished k-colouring £. 

That Bob can give such a colouring is not trivial, as it often will not 
exist. But suppose that a very distinguished colouring £ exist^] Then, 
Bob knows the cards in A U B and thus can check that £ is very dis- 
tinguished by enumerating all E ^ A U B and seeing whether £ is 
distinguished for E; richness can be tested in a similar way. Thus, by 
trial and error, Bob can find a suitable colouring £ and announce £0 

3. Alice announces the colour of her hand according to £. 

Alice knows what her cards are as well as Bob's colouring, so she can 
tell what color her hand is. 

4. Bob announces Cath's cards. 

Since £ is distinguished for AUC, once Alice announces i = £{A), Bob 
knows Alice's hand (it is the unique e-space in A U C of colour i) and 
therefore Cath's cards are those that are left over. 

□ 

It remains to check that the colouring protocol indeed provides a solution 
to the generalized Russian cards problem: 

Theorem 3.1. The colouring protocol is safe and informative, provided it is 
executable. 

2 If £ exists, we will say the protocol is executable. In later sections we shall analyze 
some cases where this always holds. 

3 The method we have described is extremely inefficient; it is better for Bob to construct 
£ directly. In the following sections, we will discuss cases where he can do this. 
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Proof. The protocol is obviously informative given Bob's last announcement, 
so we focus on safety. It suffices to check that Cath cannot deduce Alice's 
cards even after Bob's announcement of £ and Alice's announcement of % = 

First pick x that Cath does not hold. Because £ is rich, there is an e-space 
A' with colour i passing through x and not meeting C. Further, note that 
A U C ~f A' U C, so that £ is also very distinguished for A' U C. Then, it is 
possible from Cath's point of view that Alice holds all cards in A' and thus 
holds x. 

The argument that Cath also considers it possible that Alice does not 
hold x is very similar. Since the set C has exactly c elements, there is a 
space A" with colour % not meeting C U {x}, so that reasoning as above, it is 
conceivable from Cath's point of view that Alice's hand is A" and Bob holds 

x. □ 

It is pending to investigate for which a, b, c the colouring protocol is actu- 
ally executable. In the remaining sections of this paper we shall explore this 
question in the "extreme" cases where Alice has a hyperplane (i.e. e — d—1) 
and Alice has a line (i.e. e = 1), respectively. 



4 Alice has a hyperplane 

In this section we shall consider a relatively basic instance of the colouring 
protocol, the one closest to Atkinson's original proposal where we had d = 2. 
Here d > 2 is arbitrary, but e = d — 1, which means that Alice holds as 
many cards as points in a hyperplane of F^ and thus a = p d ~ l . Meanwhile, 
Cath holds few cards; less than p. This case is particularly simple because 
one can take k — 1 in the colouring protocol, i.e., it suffices to consider the 
trivial 1-colouring £ assigning the same colour to every hyperplane of Ffj. As 
a consequence, steps 2 and 3 become superfluous, reducing it to two steps. 

Definition 4.1 (Simplified colouring protocol). 

1. Alice announces a map from the deck to F^ 7 such that her cards corre- 
spond to a hyperplane. 

2. Bob announces Cath's cards. 
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Example 3.2 is a case where the simplified colouring protocol works, but 
there are many more: 

Theorem 4.1. Assume that a,b,c,p,d satisfy the following conditions: 

1. p is a prime or prime power, 

2. a = p^ 1 , 

3. a + b + c = p d , 

4- either d = 2 and c < p — 2 or d> 3 and c < p — 1. 

Then, the simplified colouring protocol is executable. 

Proof. In view of Theorem ??, we need only check that the trivial 1-colouring 
is suitable, i.e., that it is rich and very distinguished. 

Distinctiveness. Let us first show that the 1-colouring £ is very distin- 
guished for AU C. Since £ assigns the same colour to each hyperplane, this 
amounts to showing that there may only be one hyperplane in any E of the 
same hue as (A\JC). Fix such a set E. Note that cardinality is hue-invariant, 
so E contains p d ~ x + c points. 

Meanwhile, suppose P, Q are two distinct hyperplanes. Then, P U Q has 
at least 

2 p d ~ 1 -p d ~ 2 

points; this is because each hyperplane has points and their intersection 
is a space of dimension at most d — 2. So it is sufficient to have 

2p d - 1 -p d - 2 >p d - 1 + c 

or, equivalently, 

c < p d ~ x - p d - 2 (1) 

to conclude that there is no way that E contains a second hyperplane. 
It is then easy to show that Q holds under our constraints. 
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Richness. We have to check that £ is a rich 1-colouring. To this end, let 
E be a set with c elements and let x be a point not in E. 

First of all, note that given y ^ x, there are ad-i(p) hyperplanes touching 
both x and y. To see this, pick a hyperplane Q touching y but not x. Then, 
any hyperplane if touching both x and y intersects Q in a d — 2 space if', 
and conversely if' determines ff . But if' is a hyperplane over Q through y, 
which means that there are <Jd-i{p) values if' could take. 

Since E has c points there are at most c<Jd-iip) hyperplanes touching E 
and meeting x, whereas there are <Jd{p) hyperplanes touching x in total. So, 
it is sufficient to have that 

°dip) = pcrd-iip) + 1 > ca d -i(p) 

or, equivalently, 

1 

c < p + 



<7d-l(p) 

to conclude that at least one hyperplane through x does not meet E, fulfilling 
the first condition of Definition |3.3 However, this readily follows from our 



constraints, since c < p. 

As for the second condition, on the one hand, there are per dip) distinct 
hyperplanes in total in F^: there are <Jd{p) normal vectors for a hyperplane 
and each hyperplane has p parallel hyperplanes. On the other hand, there 
are strictly less than (c + l)<Jd(p) hyperplanes meeting E U {x}, since if 
z6EU {x} then there are a dip) hyperplanes passing through z and at least 
one hyperplane is counted twice. So, it is sufficient to have 

pa dip) > (c + iy d (p) 

or, equivalently, c < p — 1 to conclude that at least one hyperplane does not 
meet E U {x}. But this is already a constraint. □ 

It is not hard to find parameters satisfying the conditions of Theorem 



4.1. At the low end are the triples (a,b,c) = (3,5,1), (4,10,2), (4,11,1) 



(5, 17, 3), (5, 18, 2), and (5, 19, 1); the case (5, 17, 3) was used for illustration 



in the introductory section and Example |3.2 

If we look at larger numbers, we see that Cath needs to have a great deal 
fewer cards than Alice, and that Bob tends to have quite a few more. Given 
that Alice has a = p^ 1 , Cath has in the order of p, and Bob has less than p d , 
we have b = 0{ac). This improves on previous results, since the generalized 
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Atkinson protocol from [1] uses b = 0(a 2 ), independently of the value of c 
(which might be much smaller than a). We remark that all cases for c = 1 
are already covered in prior work [IJ [2] . 

We have made a few simplifying assumptions in this section, for the sake 
of exposition, but there are some straightforward generalizations that could 
be made. First, we could drop the assumption that Alice holds exactly a 
prime power of cards; if she has less, the protocol may be tweaked so that 
she holds only a portion of the hyperplane. In this case, Cath must still hold 
less cards than Alice; this is done in [1] for the case d = 2. 

Further, we have only dealt with the case where Alice arranges her cards 
in a hyperplane. This maximizes the number of cards that Alice can hold; 
however, essentially by the same arguments it could be checked that the 
simplified colouring protocol also works when Alice has any e-dimensional 
subspace of F^ with 1 < e < d. Nevertheless, the bounds for the inequalities 
become more complicated and, in any case, given that we use a 1-colouring, 
we can only derive the existence of protocols for triples (a, b, c) with c < a. 
For /c-colourings for k > 1, the picture looks a great deal brighter and more 
challenging. 

5 Alice has a line 

In this section we shall consider another extreme case: when Alice's cards 
only form a line. Despite the apparent symmetry, this case is much more 
involved than the previous and will require the full machinery of the colouring 
protocol. 

As before, let p be a prime or a prime power and d > 2. We will assume 
that e = 1, that is, Alice has as many cards as points in a line of F^. This is 
an important case because it represents when Alice has minimal information 
and, as we shall see, it will allow us to derive the existence of protocols 
for triples (a, b, c) with c 3> a. For this, the constriction of a non-trivial 
fc-colouring will be crucial. 

In what follows we will look for conditions to guarantee the existence of a 
rich and very distinguished fc-colouring for some number of colours k. First, 
let us introduce the notion of density: 

Definition 5.1. Say a k -colouring of lines £ has density m if, given a point 
x G Fp and a colour i, there are at least m i -coloured lines through x. 
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There is a close connection between density and richness; to be precise, 
a colouring that is dense enough is automatically rich. 

Lemma 5.1. If £ is a k-colouring of density c + 2, then £ is rich. 

Proof. Let E be a subset of F^ with c elements. Fix a colour % and a point 
x £ E. We note that if £, h are two distinct lines passing through x, then 
£ fl h = {x}. Therefore, E contains the disjoint union 

[j{E n £ : x G £ and £(£) = i}. 

It follows that for some £ with = i and x G £, E fl £ must be empty, 
otherwise E would have at least c + 2 elements. 

Similarly, if we pick y (jL E different from x, we see that there is an 
i-coloured line through y not meeting EU{x}, satisfying the second require- 
ment. □ 

Thus in order to construct rich colourings, we may focus on constructing 
dense colourings; this is not too difficult, as witnessed by the following: 

Lemma 5.2. Let£±, ...,£k be distinct lines ofV = F^ and assume thato~d(p) > 
k(m + 1). Then, there is a k-colouring £ of density m such that for i < k, 

t(ti) = i- 

Proof. There are a dip) > k(m + 1) non-collinear vectors in V, and hence we 
can pick a set D of mk non-collinear vectors which are not directing vectors 
of any of the lines £j. Partition D into k disjoint sets of m elements. 
Then, given a line h G V, put = % if either h — £i or h has directing 
vector in Di for some i < k. Otherwise put, for instance, = 1. It is easy 
to see that £ satisfies the desired properties. □ 

This will be sufficient for finding rich colourings. Now our goal is to 
construct a very distinguished A;-colouring for AU C. As with richness, we 
will do so by introducing a stronger, approximate notion - that of a perfect 
colouring. It is not easy to tell under which conditions very distinguished 
colourings exist or how one may go about finding one, but finding perfect 
colourings will be straightforward. 

Perfect colourings do have the disadvantage that they are not hue- invariant. 
To deal with this issue, we will first need an intermediate concept: that 
of critical colourings. Every perfect colouring is critical and every critical 
colouring is very distinguished. Perfect colourings are the easiest to identify, 
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but critical colourings are easier to work with than either perfect or very 
distinguished colourings. 

Let us then begin by defining critical colourings: 

Definition 5.2 (critical colouring). Given E C F^ ; we say that a k-colouring 
£ is critical for E if there exists a set L = {£[,... , t n } of lines of different 
colours such that, for every line h C F^, we have 

#((hnE)\{j£*)< P -k, 

i<n 

where #S stands for the cardinality of a set S. We will say the lines in L 
are ^-critical lines for E. 



The notion of critical colouring in Definition |5.2| captures an important 
difference between the 2-colourings in Figures [4] and [5] The 2-colouring in 
Figure [4] is not critical for E = A U C, as for any set of lines L that we can 
select, there is a line h such that 



#{(hnE)\\jL)>2 



V 



as the reader may verify by examination. 

On the other hand, the colouring in the left-hand side of Figure [5] is 
critical for E = A U C, the union of the two lines and the fragment. We 
select L as the two complete lines in E. Then, for any line h, the property 



of Definition 5.2 holds. In particular, the line h with the three holes is the 



line outside of L with most points in E. For that line, 
#((hnE)\\jL) =p-3<p-2. 

Recall Example |3.3| where we showed that the colouring in Figure [4] 
is insecure. Intuitively, the insecurity of a fc-colouring (in Figure [4] we have 
k = 2) is produced because AUC contains k lines, along with a line fragment 
t with k or less gaps - observe the line missing p and q in Figure |4j Then, 
though the /c-colouring is distinguished, it might not be very distinguished, 
as we may be able to travel several tones to move the k lines and fill all the 
gaps in £, thus generating k + 1 lines and repeating a colour. 

However, when A U C contains k or less lines and all fragments have 
more than k points missing, then a distinguished /c-colouring £ is always 
very distinguished. Figure [5] shows an example of this situation. 
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Figure 5: A critical 2-colouring 



Example 5.1. In the left-hand side of Figure^ AUC contains two lines and 
a fragment with three or more points missing. Alice has one of these lines, 
and Cath has the other line plus the segment. Then, a tone corresponds to 
moving a line to an empty position of the same colour, and it is not possible 
to arrange the two lines in AU C in such a way that they fill the three gaps 
in the fragment. Thus there is no configuration of the same hue for which £ 
is not distinguished, so that £ is very distinguished. 

The above considerations suggest that critical colourings are very distin- 
guished, and indeed this will turn out to be the case. Before we show this, 
let us make a simple observation: 

Lemma 5.3. If £ is a critical k-colouring for E and £ C E, then £ is a 
^-critical line for E, independently of how the other critical lines are chosen. 

Proof. Let £*,...,£* be ^-critical lines for E. Notice that since they are lines 
of different colours, we have n < k. If £ is not ^-critical then for every % < n, 
£ n £* is either empty or a singleton. It therefore follows that 

#((£n E)\{jL) = #{£\\Jt t ) > p - n > p - k, 

i<n 

which contradicts the definition of a critical /c-colouring. □ 

Now we will check that critical colourings are very distinguished. For 
this, it suffices to show that they are distinguished and hue-invariant; the 
former is straightforward, the latter rather involved. 

Lemma 5.4. Every critical k-colouring for E is distinguished for E. 
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Proof. From Lemma 5.3 it follows that if £ C E then it is critical; but there 
is at most one critical line of each colour so there cannot be h 7^ I of the 
same colour both contained in E. □ 

Lemma 5.5. Suppose £ is a critical k-colouring for E with k < p and F has 
the same hue as E. Then, £ is also a critical colouring for F. 

Proof. We shall prove this by induction on the number of tones between E 
and F. The base case (F = E) is vacuous. For the inductive step, suppose 
F = (G \ Ai) U A2 with £(Ai) = ^(^2) = j, where by induction there are 
^-critical lines £*,...,£* for G with n < k. Observe that £* = Ai; indeed, 



Ai C G, so that by Lemma 5.3, Ai = I* for some i. But £(Ai) = j, and 
therefore % = j. 

Our goal is to show that £ is also critical for F; we will do this by proving 
that the lines h*,...,h^ defined by h* = £* for i ^ j and h* = A2 are critical. 
For this it will suffice to check that if I is any line, 

(*nF)\U*?c(inG)\(j5; ( 2 ) 

i<n i<n 

this inclusion would then imply that 

#{(£nF)\\Jh*) <#((£nG)\\j£*) < P -k, 

i<n i<n 

showing that h*, . . . , h* n (and hence £) are critical for F. 

To establish (J2), pick 16 (£f)F)\ \J i<n h*. It is obvious that x e £nG, 
except in the case that x G A2. But A2 = h*, so this cannot be, and therefore 
we always have x G I fl G. 

Next, we need to check that x ^ £* for any i < k. This is obvious if i 7^ j, 
since I* = h*. Thus it remains to rule out that x G £*. If we had x G = Ai, 
we would also have that x G Ai \ h* — X± \ A2. But F does not intersect this 
set, so this is impossible. 

We conclude that ^ holds, and thus £ is critical for F, as desired. □ 

As promised, we now have the following: 
Lemma 5.6. Every critical colouring is very distinguished. 



Proof. If £ is critical for E, then by Lemma 5.5, it is also critical for every 



set of the same hue as E\ thus, by Lemma 5.4, it is also distinguished for 



every such set. □ 
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We have seen that in order to construct very distinguished colourings, 
it suffices to construct critical colourings. This has the advantage that the 
notion of being critical depends only on a set E and not on the entire hue of 
E. However, it is still not entirely obvious when exactly critical colourings 
exist or how one is to go about building one. 

This is where perfect colourings come into play. Although less well- 
behaved than critical colourings, they are very easy to identify, and every 
perfect colouring is automatically critical. 

Definition 5.3 (perfect ^-colouring). Given E C let L m (E) denote the 
set of all lines £ such that n E) > m. 

We say that a k-colouring £ is perfect for E if different elements of 
L p _ k (E) have different colours. 

Perfect colourings are thus quite easy to identify and construct, yet they 
are always very distinguished: 

Proposition 5.1. If is a perfect colouring for E, then £ is very distin- 
guished for E. 

Proof. First we note that £ is critical, since we can take all of L p _k{E) as 



critical lines, given that they are all of different colour. Then, by Lemma 5.6 



we have that £ is very distinguished, as required. □ 

Now for the main result of this section: 
Theorem 5.1. Assume that a,b,c,d,k satisfy the following conditions: 

1. a is a prime or a prime power, 

2. a + b + c = a d , 

3. k < a, 

4- for every SCFf with #S < a + c, we have #L a _ k (S) < k; 
5. a d {a) > fc(c + 3). 
Then, the colouring protocol is executable. 
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Proof. By assumption, #L a _ k (AuC) < k, so Bob can enumerate L a _ k (AuC) 
by £ = (£i, . . . ,£ n ), with n < k. Then, by Lemma 5.2 there exists a colouring 



£ with density c + 2 and such that = z, which by construction is perfect 
for A U C, so that by Proposition |5.1[ it is also very distinguished. Further, 



by Lemma 5.1, we see that £ is rich, as needed. □ 



The above proof should be seen as a theoretical argument that very dis- 
tinguished colourings exist under the above conditions - but never as an 
algorithm for constructing them. The reason is as follows. Perfect colourings 
are not hue-invariant. Thus if Bob were always to choose a perfect colour- 
ing, Cath may be able to infer additional information from this. Colourings 
should be chosen homogeneously within a hue, either by picking them ran- 
domly each time or by selecting a uniform representative a priori. Whether 
there are good algorithms for doing this is a question we shall leave open. 

5.1 Some bounds 



The conditions given by Theorem 5A while rather general, remain somewhat 
implicit. In this subsection we shall compute some explicit bounds on the pa- 
rameters which guarantee that these conditions are met. The computations 
we will make are a bit rough, but will nevertheless give us a large family of 
parameters for which the protocol is guaranteed to work. 
They are based on the following counting lemma: 

Lemma 5.7. If a set E C is such that #E < (k + l)(p - k) - ( k + 1 ) k /2, 
then 

#L p _ k (E) < k. 

Proof. We argue by contrapositive, assuming that #L p _ k (E) > k. 

Let £i, . . . ,£ k +i be distinct lines such that #(E C\£i) > p — k. Then, we 

> # U ^ nE ^ 

i<k+l 

> J2 #(^ n ^)- E #(*n4) 

i<k+l i<j<k+l 

> (k + l){p — k) — ( fc + 1 ) fe /2. 

□ 
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Thus in view of Theorem 5.1, in order to find suitable parameters, it 
suffices to solve the system of inequalities 

1. a + c < (k + l)(a - k) - (*+i)*/2 
n d — 1 

> k(c + 3) 



a — 1 

or, simplifying a bit, 

1. c<ak- 3(fc+i)fc/ 2 



2. a d > fc(a- l)(c + 3). 

From this we immediately obtain the following 'asymptotic' result: 
Theorem 5.2. For a large enough, the above inequalities hold for 

1. c< 0(a 3 / 2 ) and d = 3, 

£. c < 0(a 2 ) and d = 4. 

Proof. For the first result, set ~ and c < a3/2 /2. 
Then, we have that 

ak- 3k{ \ +1) =a^ + 0(a), 

which for large a is greater than a3/2 /2. 
Meanwhile, 

k(a- l)(c + 3) = a3 /2 + 0(a 2 ), 

which for large a is bounded by a 3 . 

The second is similar; here, set k ~ a / 2 and c ~ a2 /9. □ 

A nice conclusion we obtain from the above result is that indeed c can 
be larger than a by any order of magnitude we desire, provided a is large 
enough: 

Corollary 5.1. Given any natural number N, there exist a, c such that c /a > 
N and the colouring protocol is executable, sound and informative for (a, a 3 — 
a — c, c) . 
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Proof. If a ^> iV 2 then a A l 2 = (a 1 / 2 ) a ^> Na and, by Theorem 
required inequalities hold and the protocol is executable. 



5.2 



the 

□ 



Note that we may use Theorem 5.2 1 or Theorem 5.2 2 depending on 
whether we wish to keep b relatively small with respect to a or a relatively 
small with respect to c. In either case, b = 0(c 2 ). Note also that our com- 
putations are heuristic and do not rule out the possibility of better bounds 
being obtained. 



6 Conclusions and further research 

The colouring protocol we have presented gives a new and flexible solution 
to the generalized Russian cards problem. Although inspired on Atkinson's 
protocol, the introduction of colourings allows us to apply it in many more 
instances. In particular, our protocol solves the problem in many cases where 
the eavesdropper has more cards than one of the players, and is the first 
known solution to achieve this. In fact, if the generalized Russian cards 
problem is to be understood as Find triples (a, b, c) for which a sound and 
informative protocol exists, then the current work is a giant stride over what 
had been previously achieved. 

The computations in the case that Alice has a hyperplane could be carried 
out in much the same way over projective rather than vector spaces, thus 
obtaining a solution that is closer to Atkinson's. Our choice of working on 
vector spaces was due to the fact that, in the case that Alice has a line, many 
of the constructions seemed to work out more easily. However, it might be 
possible, and would be interesting, to study the projective version of the 
colouring protocol. 

Actually, there are many variations that could be analyzed and might 
yield important results. We only considered the "extreme" cases where Alice 
has either a line or a hyperplane, and while one might argue that these 
are important (Alice's information is either minimal or maximal), a more 
thorough analysis which includes intermediate cases should be pursued, along 
with other variations: Alice may have more than one e-space, there may be 
more players, Cath may be allowed to learn a few of the cards, etc. Along 
these lines, a particularly promising direction would be to replace linear 
spaces by other algebraic curves. This could, potentially, reduce the size of 
the whole space (and hence Bob's hand) without compromising the existence 
of suitable colourings. 
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A different direction to pursue involves cases where either a or a + b+ c are 
not prime powers. There are already standard techniques to deal with these; 
one finds a prime which is not much larger than the desired parameter and 
works with that instead. Such techniques have already been used to extend 
a different protocol to many new triples in [2] but have not been worked out 
in our context. 

Meanwhile, the generalized Russian cards problem may have a recre- 
ational flavour to it, but this is misleading; secret-exchange protocols beg for 
serious applications in secure communication. Unfortunately, concrete ap- 
plications have not yet been developed, even theoretically. One could argue 
that part of the reason for this is that no sufficiently general solution to the 
problem was available; one could then go on to argue that the present work 
changes this situation. 

Protocols based on the generalized Russian cards problem have an advan- 
tage over most traditional encryption methods in that they are "uncondition- 
ally secure", meaning that an eavesdropper is unable to decypher messages 
even when granted unlimited computational capacity. The drawback is that 
it presupposes a secure "dealing stage" , which in most potential applications 
would not be available. 

Real-world implementation of these protocols would also require an ad- 
ditional computational and probabilistic analysis. What is the complexity 
of running the colouring protocol? Are there good algorithms for finding 
suitable colourings? Even if Cath does not learn any cards, what is the 
probability that she guesses them correctly? 

To summarize, there is much to be done indeed! 
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